CVE-2024-50687

CVE-2024-50687 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting SunGrow iSolarCloud platforms prior to the remediation released on October 31, 2024. The flaw exists in the devService API model, allowing unauthorized access to objects through direct references without proper access controls.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality and integrity violations, such as reading or modifying sensitive data belonging to other users or entities via manipulated API requests.

SunGrow published a security notice detailing the issue at https://en.sungrowpower.com/security-notice-detail-2/6114, confirming the remediation deployed on October 31, 2024, as the primary mitigation for affected iSolarCloud instances.